File curl-CVE-2026-3805.patch of Package curl.43131

From e090be9f73a7a71459ef678c7cc4b1f75e3ea883 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Sun, 8 Mar 2026 14:30:00 +0100
Subject: [PATCH] smb: free the path in the request struct properly

Closes #20854
---
 lib/smb.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

Index: curl-8.14.1/lib/smb.c
===================================================================
--- curl-8.14.1.orig/lib/smb.c
+++ curl-8.14.1/lib/smb.c
@@ -448,9 +448,7 @@ static void smb_easy_dtor(void *key, siz
   struct smb_request *req = entry;
   (void)key;
   (void)klen;
-  /* `req->path` points to somewhere in `struct smb_conn` which is
-   * kept at the connection meta. If the connection is destroyed first,
-   * req->path points to free'd memory. */
+  Curl_safefree(req->path);
   free(req);
 }
 
@@ -1230,7 +1228,7 @@ static CURLcode smb_parse_url_path(struc
                                    struct smb_request *req)
 {
   char *path;
-  char *slash;
+  char *slash, *s;
   CURLcode result;
 
   /* URL decode the path */
@@ -1239,6 +1237,7 @@ static CURLcode smb_parse_url_path(struc
     return result;
 
   /* Parse the path for the share */
+  Curl_safefree(smbc->share);
   smbc->share = strdup((*path == '/' || *path == '\\') ? path + 1 : path);
   free(path);
   if(!smbc->share)
@@ -1258,12 +1257,15 @@ static CURLcode smb_parse_url_path(struc
   /* Parse the path for the file path converting any forward slashes into
      backslashes */
   *slash++ = 0;
-  req->path = slash;
+  for(s = slash; *s; s++) {
+    if(*s == '/')
+      *s = '\\';
+  }
+  /* keep a copy at easy struct to not share this with connection state */
+  req->path = strdup(slash);
+  if(!req->path)
+    return CURLE_OUT_OF_MEMORY;
 
-  for(; *slash; slash++) {
-    if(*slash == '/')
-      *slash = '\\';
-  }
   return CURLE_OK;
 }